There were some great comments and threads online about my post yesterday regarding Secretary of Defense Pete Hegseth’s use of a Signal chat group to share what appeared to be details of the Yemen strikes against Houthi strongholds—a chat group that included a journalist, Jeffrey Goldberg (not Jonah Goldberg!), the editor-in-chief of The Atlantic magazine.

X user LeadingOrderSolution added some context on the Signal app:
1/ Using Signal was almost certainly a violation of federal record keeping statutes,
2/ The DOD previously (prior admin) banned the use of commercial messaging apps
3/ Signal is end-to-end secure but... the messages once on the phone are only as secure as the person using the phone - only a simple passphrase locks the app,
4/ There is a known issue with Signal and the Android notification system. Link below to support forum, the short is that if the wrong notification option is chosen by the user (i.e., name and content) what they think is a shortened one line notification that can be swiped away is in fact a notification containing the entire plain text content logged in the Android system and available to anyone with access (legit or malware)
5/ Finally (sorry so long!) What else have the people in that group been discussing on Signal the past 60 days? What other plans, likely codeword, have been shared?
This, in fact, is likely true. I checked with Grok and got this back:
The DoD has explicitly discouraged the use of Signal on its government-issued devices for official business. A 2021 DoD Inspector General report criticized a former Defense Digital Service director for using Signal to discuss official information, stating it was not approved as an authorized messaging application and violated records retention policies, including compliance with the Freedom of Information Act (FOIA). A 2023 DoD memo further clarified that while Signal might be permitted for limited use, it cannot be used to "access, transmit, or process non-public DoD information" on government devices, reinforcing its unsanctioned status for sensitive communications.
Whatever you think SECDEF Hegseth and his coffee klatch discussed on Signal prior to our Yemen strikes, whether you believe Goldberg’s account (which was confirmed by the White House) or not, I think we can all agree that it would qualify as “non-public DoD information.” Therefore, whoever briefed the senior staffers and cabinet members on use of communications devices would have mentioned it.
Signal has, as one of its features, disappearing text. This means that whatever is posted on the group has a shelf life, and is gone fairly quickly. Unless you take a screenshot (like Goldberg was doing), any record of the conversation is quickly lost. This, if used for anything official at the higher levels of government, is a violation of FOIA among other federal laws. That’s what the DoD IG found, and it has not changed.
You have to question the motives behind Hegseth and others using this particular app to communicate. One possible motive is exactly that there’s no record of the conversation. Not that Hegseth or anyone else was covering up a scandal (though the fact Goldberg was “in” on the group is in itself a scandal), but we can surmise that Signal’s particular value may have been something they wanted to leverage.
I mean, that’s what Signal exists for. I’ll get into that in a bit.
Next, on X and in other places, users have claimed that the government has no other options, so Signal was the default. Cartoonist (and cartoon version of himself) Scott Adams posted:
Regarding the Signal app drama:
The next thing you will learn is that our top government officials have no secure and efficient way to communicate anything unless they are in the same room.
If you're thinking Why didn't they use the amazing government systems that are designed to be secure? you will learn one reason why Hillary had her own email system: The government systems don't work.
(Hillary probably had other reasons too. But that was a stated reason.)
The story you are unlikely to hear anywhere today is how bad the alternative "secure" systems are. Do they even have a secure group chat function? I doubt it.
Can you assemble a dozen top leaders in one room on short notice? Not usually.
If DOGE taught us anything, it's that all of our government systems are stone-age relics. My best guess is that every government official in both parties uses commercial apps for all but the most sensitive stuff. There is no real choice.
This is pure, unadulterated, BS. Anyone who believes it or posts similar stuff is sniffing a pile of bovine excrement. It’s not even remotely true.
Let’s start with Signal, and its maker. The Signal Foundation is a 501(c)(3) nonprofit, whose stated mission is to “protect free expression and enable secure global communication through open source privacy technology.” The foundation’s three planks are “Privacy First, Open Source, and Nonprofit.” Anyone can access Signal Messenger’s source code. The Russians, the Chinese, the Iranians, the Israelis, even the Canadians. It’s not designed to be private, in the sense of proprietary. It’s designed to offer privacy in the context of “keep your grubby government hands off my stuff.”
That’s just fine if it’s me and my compatriots discussing our plans to drop a metric ton of pink confetti on the next St. Patrick’s Day parade using commercial drones. But it’s not fine when the folks who run the government itself are using it to bypass public records laws or their own agencies’ retention policies.
Proof of this is the fact that the Signal Foundation has apparently made no attempt to pursue FedRAMP certification, which is the DoD’s measure of how an organization complies with NIST SP 800-53 (the Risk Management Framework), to protect government data. It’s a pretty rigorous process, and is required to gain access to the FedRAMP Marketplace, which is a list of products that comply and can be used in Moderate or High Impact risk applications. In other words, to properly safeguard data and comply with federal laws.
Compliance with cryptographic standards by itself is no guarantee of suitability for use by government officials.
Signal Messenger is not on the FedRAMP Marketplace. But contrary to Adams and others’ posts, there are plenty of options for group chats available to government employees using government-issued, hardened smartphones.
Here are some of the apps that are on the FedRAMP Marketplace:
Microsoft Teams (Microsoft 365/Office 365): authorized for Moderate or High. “Microsoft 365 GCC High” and “Office 365 DoD” have FedRAMP High authorization and support secure messaging, chat and collaboration. The GCC is the Government Community Cloud and is authorized at Moderate level.
Zoom Team Chat (Zoom for Government): authorized for Moderate baseline. Supports private file sharing, encrypted communications. Zoom is pursuing High authorization with the Veterans Administration as its sponsor agency.
Cisco Webex (Messaging): “Webex for Government” is authorized at Moderate and High levels. It supports secure chat, file sharing, and integration with video and voice. This is used throughout the DoD.
Slack (in process): “Slack Government Cloud Plus” is in the process of obtaining Moderate level authorization with the Department of Justice as its sponsoring agency.
Signal, and also WhatsApp (one of the Signal Foundation’s founders also developed WhatsApp), are not on the FedRAMP Marketplace list, and are, from what I found, not seeking FedRAMP certification.
None of this means that those applications not on the list can’t be used in any context. It just means they are not appropriate for use in official capacities. I know this goes against the grain of the current administration’s story, but that’s the truth.
There are plenty of options for group chat should Hegseth and his group have wanted to have a proper conversation, within the records retention and information protection requirements of the DoD. They could have used Teams, or Cisco Webex, or Zoom. But they didn’t. They used Signal Messenger. The main reason people use Signal is to stay out of the government’s prying eyes and grubby hands. Think what you want, but that’s the no-BS truth.
And one more word here as to qualifications. Scott Adams et al. have no credentials dealing with classified data, or cybersecurity standards. I normally don’t talk about my non-writing life here, but I will disclose this. I hold an active CISSP certification for my day job. That’s “Certified Information Systems Security Professional” issued by the International Information System Security Certification Consortium (ISC2). These are not easy to get: think along the lines of CPA, or law degree. If anyone with a similar certification wants to argue cyber and privacy standards with me, I’ll take them seriously. Anyone else, not so much. Scott Adams—not at all.
The TL;DR here is that the Signal conversation should not have happened at all. Never mind the fact that somehow Jeffrey Goldberg got added to the group. That’s not the problem. That’s not why I called for SECDEF Hegseth and National Security Advisor Waltz to be fired. They violated OPSEC, they violated government records retention, privacy, and confidentiality rules. They should know better. They should be fired for it. They had no excuses. Don’t believe the BS.
Really good and informative post.
Steve, keep casting light on this topic. This thread is going to have legs, and it is good to have the technical and procedural topics laid out to understand. Thank you.